Exit of Apple's security chief offers lessons for security professionals

Monday, November 7, 2011

YARMOUTH, Maine—The recent news that Apple's VP of global security has left the company in the wake of last summer's controversial investigation into a missing iPhone prototype highlights the potential pitfalls former law enforcement officers face when transitioning into the private sector, one security professional who specializes in intellectual property investigations, among other things, told Security Director News.

The facts surrounding John Theriault's departure from Apple and the investigation he oversaw last summer into the loss of a yet-to-be-released iPhone—including concerns that Apple investigators impersonated police officers—are still sparse. However, what is known about the investigation—that Apple investigators searched for the missing prototype in a private home in San Francisco after arriving with plain-clothed SFPD officers—and the public allegations of the homeowner—that he was threatened and that the Apple investigators didn't identify themselves properly—produced some messy headlines for the tech giant, which is more accustomed to being lauded for the sleek design and user-friendliness of its consumer electronic products.

"It didn’t do much for the reputation of Apple," Eugene Ferraro, CEO of Business Controls Inc., told Security Director News.

Ferraro said he has nothing against law enforcement officers, but points out that sometimes the mindset they develop over the years as a police officer or FBI agent doesn't serve them well in the private sector, where there's often much more to be aware of—like a company's reputation—than just catching the bad guy. Theriault was with the FBI for 26 years before entering the private sector in 1996 as the CSO for Pfizer. He became Apple's VP of global security in 2007. "The tendency to hire those in law enforcement sometimes precipitates these type of outcomes," Ferraro said. "The problem isn’t that these people have law enforcement experience or cops are inherently stupid. That's not the issue. The problem is they bring with them to corporate America the mindset that the security function is similar to law enforcement. It's not. Law enforcement's responsibility is the enforcement of public laws. That's it," Ferraro said. "I task any security director to look at their corporate mission statement and find where it says our job is to put as many people as we can in jail." He went on to say the job of a security director "is to protect the interests and assets of the owners and shareholders and those that have interest in the organization."

Not all the facts concerning the Apple investigation are known, Ferraro admits, but given what is known—that the SFPD was involved and Apple's investigators searched a private home—he said it sounds like a plan a law enforcement officer would come up with. "In one regard, it's a little bit predictable," Ferraro said. "Instead of hiring people who are familiar with business, they hire people who used to investigate bank robberies and said, 'go find the phone.'" Ferraro said former law enforcement officers who can shift their mindsets away from law enforcement and focus on corporate security can successfully make the transition to the private sector, but it's not always easy.

The mistake, Ferraro said, is approaching the problem with the ultimate goal of catching the perpetrators and putting them in jail versus making a careful assessment (Ferraro cites seven distinct phases of an investigation) of how the IP theft damages the organization, how to mitigate that damage and determine how, if the investigation is completed, to manage any fallout that would damage the reputation of the company. "I would think the people who orchestrated this search didn’t answer those basic questions," Ferraro said. "Their approach and actions were monolithic: Let's get this stuff back."

Involving the SFPD was a problem to begin with, Ferraro said. "When it comes to intellectual property, the police are probably the last on your call list," he said. "It's sort of like calling the IRS because your corporation thinks they under-reported their earnings last year by $300 million."

The responsibility for protecting intellectual property is a relatively new part of security professionals' job descriptions, having previously been the purview of lawyers and HR people, Ferraro said. "Increasingly, because intellectual property is playing such an important role in the competitive world of international business, organizations are going: 'How come our security department isn't doing more?'"

The most important lesson from the news, Ferraro said, is: "Think before you act. Just because you know you can do something … it doesn’t mean it's a smart thing to do."


We concur with many of Mr. Ferraro's assessments in that frequently you find a law enforcement approach contradictory to the corporate asset protection or management approach of the private sector.
First, loss prevention professionals have become much more savvy in regards to business acumen and are frequently the go-to personnel in an organization used to identify operational exposures, process deficiencies, and training gaps in addition to their traditional roles of the past.
The approach of the FBI and similar agencies is a result of the process they have to use, which is to secure everything first by flexing their "powers" and investigate after they have collected quantities of evidence. In that world it is necessary to secure evidence in that manner before it is destroyed or missing.

In the private world, we focus on prevention through a variety of means: training, awareness, exception-based reporting, audits, and other avenues.

In addition to Ferraro's comments we see the following failures or learning opportunities:

* Apple is a technology-based company where a single product like this lost iPhone 4S, which in the first 60 days sold nearly 4M units at an average retail of $300 for $1.2B +/-, can make or break the company.

* Policy and process must be established up front to secure IP and products from exposure internally and externally. With a key product like this, it should never have left Apple physically, or should have been assigned a member of security staff to accompany this product and/or staff member due to the potential liability if lost, stolen, cloned, etc.

* Employee behavior IS predictable; who reviewed and maintained information on the staff member who lost the phone? What were his/her business habits, financial status, personal habits, was there a known risk before this loss?

* Exception-based reporting to monitor an organization for loss, fraud, or other liability shouldn't be thought of for inventory, POS, etc., but should be deployed across other data channels, such as expense reporting, in order to identify habits, expenses, or fraud harmful to the organization.

* Basic investigation 101 - GPS on cell phones is accurate maybe to 1500 +/- feet, so why on earth would you pinpoint one solitary home to search when it may in fact be the next door neighbor’s house or across the street? Much more investigation should have been done prior to knocking on this door!

* Apple is a technology company, and though nothing was stated one way or another regarding this prototype phone's capability, where were the built-in remote functions to turn this phone on or off remotely, monitor calls made, GPS? Where was the data wipe capability where, if the phone password was entered incorrectly 1, 2, or 3 times, the phone auto-wiped the memory and all applications in the event of just such a loss?

All in all, some very good learnings should come from this, as unfortunate as it is for the individuals held to account for it.

While Mr. Ferraro makes some good points, the article tends to paint former law enforcement officers who have transitioned to the private sector with a broad brush. There is one sentence in the entire article that acknowledges that former law enforcement officers might make good CSOs. The rest of the article is pretty negative towards former officers. I am a former law enforcement officer and believe I successfully transitioned to the private sector, as have the numerous former officers I have hired during my private sector career. We see an effective security program as a business enabler and are not out to put bad guys in jail.

The good points Mr. Ferraro makes are overshadowed by his negative assessment of former law enforcement.

It isn't unheard of for a Security Chief, or other person in charge, to be dismissed after presiding over an investigation or other matter that did not go well. However, talk about Monday morning quarterbacking under the guise of exploring "lessons learned." The former FBI agent in charge of security was probably very much in tune with corporate policy and the differences between his current job and his job in law enforcement. In fact, I'll bet because he was an FBI agent his "business skills" and sensitivities were operating at 100%. I would look elsewhere in the Apple Corporation for the genesis of this event. Pressure, to include "Get that d**** back" would come in many forms. Our Security Director was the fall guy.

I want to express my disappointment with the SND editorial board for facilitating the irresponsible journalism offered by Whit Richardson in his 11/8/11 article, “Exit of Apple's security chief offers lessons for security professionals.” Mr. Richardson’s article casts a negative impression on the abilities of former law enforcement officers to transition into the private sector based on the purely opinionated beliefs of Eugene Ferraro, who, from my research, was never a sworn law enforcement officer. Mr. Richardson writes: “Ferraro said he has nothing against law enforcement officers, but points out that sometimes the mindset they develop over the years as a police officer or FBI agent don't serve them well in the private sector…” I have researched Mr. Ferraro’s educational background and, other than attending Florida Institute of Technology, I was unable to identify his field of study nor any information to support Mr. Ferraro’s competency to make a clinical diagnosis on the mindset or developmental limitations of former law enforcement officers as it pertains to their ability to transition into the private sector. If there is scientific data or statistical proof to support Mr. Ferraro’s assertions, it would have been responsible for Mr. Richardson to have referenced this information.

Since Mr. Ferraro chose the Apple investigation to espouse his beliefs, let’s examine Mr. Richardson’s article in terms of a statement analysis. (Sorry, after reading the article, my interview/interrogation training and experience tell me more questions are raised than those answered.)

“Not all the facts concerning the Apple investigation are known, Ferraro admits, but given what is known—that the SFPD was involved and Apple's investigators searched a private home—he said it sounds like a plan a law enforcement officer would come up with.” First, Mr. Ferraro admits he doesn’t know all the facts surrounding the investigation, which should give him pause to make any comment regarding this investigation. Second, Mr. Ferraro bases his comments on what Mr. Richardson describes as “…given what is known…” What percentage of the facts was Mr. Ferraro privy to, 10%, 50%, 99%? Did Mr. Richardson ask Mr. Ferraro how much he actually knew about the investigation? Third, Mr. Ferraro is quoted as saying: "Instead of hiring people who are familiar with business, they hire people who used to investigate bank robberies and said, 'go find the phone.'" Does Mr. Ferraro know the investigative experience of the Apple investigators assigned this matter? Although his statement implies the investigators assigned to this matter have no business experience or investigative experience related to business, does Mr. Ferraro have definitive knowledge to support this suggestion? Does Mr. Ferraro have direct knowledge these investigators previously investigated bank robberies, or is this an example of a gross generalization in trying to make a point or discredit someone’s ability to transition from law enforcement into the private sector? Is the direction given to the investigators, “…go find the phone,” part of the factual information to which Mr. Ferraro was privy, 10%, 50%, 99%?

There are many former law enforcement officers who subscribe to SDN. Using a broad brush to paint a negative view over an entire industry of qualified law enforcement professionals is not constructive and serves no meaningful purpose. It is tantamount to me suggesting that those already in the security industry are threatened by former law enforcement professionals now entering the security industry due to the lack of the training and skills offered by this emerging group of security professionals. Such an assertion would be baseless and irresponsible. SDN should encourage and support qualified professionals interested in pursuing opportunities within the security industry, especially former law enforcement professionals who bring with them a network of professional services that span various industries.

I speak from experience, 25 years in law enforcement and 25 years in the private security sector. I consider Mr. Ferraro’s comments way out of line. I agree with some of the others that have responded, Mr. Ferraro did not have all the facts before making the comments he made. How he can reach some of the conclusions he did and make some of the comments he made shows more that he does not know what he is talking about than his expertise in the security or investigation areas. According to Mr. Ferraro’s assessment, maybe we should not hire military veterans because of their past training and experience. Mr. Ferraro, I would expect an apology to law enforcement officers as your response as well as an apology from SDN for printing this article.

I have to agree with Joe C. As I read the article it became obvious that Mr. Ferraro has issues with law enforcement that probably go deep into his background. I too have worked both on the private security and law enforcement side for more years than I care to remember. I have worked with good and bad corporate security directors - some who have had prior law enforcement careers and some who haven't. But since allegations in this article focused on the perceived ineptness of a former FBI agent, Mr. Ferraro needs to understand that federal agents and their agencies are concerned about image to the same extent as corporate America. Federal agents have to work very closely with corporate America in a host of investigations that are conducted. Media reports reflect the number of corporations and corporate principals on a daily basis that are being investigated for corporate wrongdoing. It seems that Mr. Ferraro can only conjure up images of law enforcement dealing with bottom crawler dope dealers and the like. Furthermore, it is not just about throwing someone in jail. It is about finding the facts, clearing individuals who have been accused, and presenting evidence that will hold up in court. I will dare say that since law enforcement must abide by a plethora of federal and state laws that govern interviews, collection of evidence, searches, etc. that law enforcement personnel who have transitioned to corporate security would be more reticent in moving forward recklessly. The laws are not the same in corporate America. Oh well... Mr. Ferraro has received his 3 seconds of fame (or infamy) for his career.

You cannot change the stripes of the tiger, or the mindset of a cop (current or past).

All cops love the power of their badge, the sound of a siren and the click of a Glock. Those who bloviate otherwise are self-deluding.

It's like trying to change a woman of ill repute into a lady of the manor. Ain't gonna happen. Next time, Apple should hire an attorney as their Security Chief: at least he or she will know what the law "is". Cops do not know, or care, what the law "is". They have the gun.....

Make no mistake, the situation leading up to the above described events in a high tech organization more often than not can put business executives into a frenzy. As the senior security executive at several Fortune 500 companies I more often than not had to slow down discussions driven by opinion and get my business leaders to step back and look at the facts (which are often incomplete) that are known at that time and get them to consider the ramifications to ensure we were not about to make an even bigger series of messes. Like Apple's VP of Security my security background is also the result of a very successful law enforcement career. But I came to my private sector positions with a comprehensive understanding of business. You might say...how is that possible?

I was fortunate to have learned about business before I graduated from college. I didn't learn the keys to running a successful business in an academic environment...I learned them at the dinner table listening to a father whose career spanned 53 years in the same industry. In his day his business WAS the Microsoft and Apple of its time. I not only listened, I worked in the business from the ground up by cleaning floors, filling orders, and eating lunch with the guys (back then there were only guys) in the warehouse. At the same time I was learning the key fundamentals of business.

Anyone in security, or HR, or IT, or sales, or marketing, or any other aspect of business who feels "they know how to handle the situation" without bringing together a number of thought leaders in the business is going to learn some hard lessons and may even put the business in great jeopardy. And that appears to be the case as it is outlined above.

Obviously a person in an executive security position who has had an otherwise outstanding law enforcement career is just as vulnerable to making a serious mistake as any CFO, CIO, or CAO who decides to pursue an issue purely from their perspective and when they decide “I know the answer.” I am always very careful not to judge another because I know "I have not walked a mile in their shoes" and therefore I cannot know all the facts.

Having shared the above there is a legitimate criticism that I feel is hurting many otherwise very talented, skilled and knowledgeable law enforcement professionals as they transition from the public to the private sector. A very high percentage fail and are unwilling to adequately prepare themselves over the last two or three years of their public career to really learn the nuances of business. They don't put in the time to build a wide range of effective business networks; they are awkward when it comes to having in-depth and meaningful discussions with business leaders and as a result they never learn what keeps them up at night. They don't know how to earn the real trust of the business leaders they support. Business folks are just NOT going to open up about their business risks. Until business leaders REALLY TRUST the new (or old) security leader...they are never going to get what they are paying for from their security team. Likewise, the security team is not going to have the positive impact they are capable of having to improve the business bottom line. I work with folks who are in or working toward their own public to private career transition and once THEY TRUST ME…they open up and tell it like it really is. It is at that point we really start to work toward better outcomes.

True success is built on honest and trusting relationships. These take a lot of preparation, time and effort. If any of us are successful we are so because we strive to make the right things happen at the right time and for the right reasons.

Sometimes, and for whatever reason, that just doesn't happen. Again, it is not my role to judge. My role is to continue to learn, learn, learn and not lean on past accomplishments no matter what the title was or how long I had been there. Lastly, besides the lifelong learning bit, my success is also dependent on not letting my ego get in the way of what I am tasked to do. The task in business is to make it safer, more secure and more profitable! A lot of times business leaders cannot relate well to the safer and secure stuff…but they really understand when you use your skills to make the business more profitable! I know…I’ve done it and it’s a lot of fun.

Ferraro and author Richardson may have over-generalized, but they weren’t completely wrong. I've known cops and feds who made smooth and successful transitions into the private sector. Detectives becoming investigators usually works pretty well. Command level and administrators moving to head largish security teams usually works pretty well too.

I've also seen street cops, deputies, and corrections personnel struggle mightily with the transition, from power to influence, from reaction to prevention. I've seen a high profile interagency task force leader take the top spot at a private corporation and a month later place ads to hire an experienced CPP to serve as his second in command. There are corporations who only hire former FBI agents for their security team, regardless of one’s qualifications, skill set, and experience. The idea that 20-30 years of success in a highly politicized federal bureaucracy translates into a natural fit in a modern corporation, let alone as a fully integrated team player at a bleeding-edge high-tech innovator, is not at all clear to me.

Probably the best thing a successful public policing professional could do to prepare for a second career in private security in corporate America is to get an MBA. Cops don’t automatically make good security managers; they must become thoughtful business professionals who specialize in security.

The august Jerry Brennan, President of the SMR Group, makes a compelling case that the best public protection professionals to run large worldwide risk management organizations are former senior members of the intelligence services or the diplomatic corps. He argues that these folks are experienced working in large highly matrixed organizations at a distance and across time zones, are accustomed to synthesizing information and presenting a range of options and consequences to leadership for decisions which they then act upon, and they are also used to improvising and taking action when conditions require it. It’s a very interesting idea.

Finally, with regard to Theriault's departure from Apple, I wonder if the timing – coming shortly after the passing of Steve Jobs – is coincidental. Was he shielded from dismissal because he was operating on instructions from the very highest level, or was he simply an Apple employee – like the engineer who misplaced the first phone – who Jobs wouldn’t fire for making a mistake?

Stealing is a big sin, especially for security officers, because they are the ones who are responsible for securing the valuables of a company and yet they are the ones who are being accused of doing such a crime. Law enforcement officers should watch their actions and should not fall into temptations, because it is easy to steal a little valued thing and yet the consequences behind it are more valuable than the thing you steal.
